On Sat, 2002-11-16 at 07:09, Pierre Abbat wrote:
> LearII uploaded the following, which appears to be an attempt to read from one port on one box and write to a port on another box. He also uploaded another PHP file, which was an attempt to list the files on the server. PHP doesn't run in the upload directory, and he left out the semicolons, but would someone please block him?
That reminds me -- although PHP scripts do not run in our upload directory, HTML files containing JavaScript are possible. If no one catches them, a wikipedia user could be tricked into viewing the file and, if they have JavaScript enabled, their login cookies could be stolen, including the password hash if 'remember password across sessions' is enabled.
Three ways around this come to mind:

1) A tighter cookie path could prevent untrusted files in /upload/ from reading the cookie. But, we have three paths to worry about which need to access the cookie:
   / (main page, raw host url)
   /wiki/ (normal pages)
   /w/ (directly linking the script for various options; edit etc)
Currently we can serve all three only by setting the cookie path to /, which lets the whole site read them. Either we need to change the paths (force / to redirect to /wiki/Main_Page and use /wiki/Foo?bar instead of /w/wiki.phtml?title=Foo&bar) or think of something else.
2) Don't allow HTML files to be uploaded, or serve them with plain text mimetype. This could be annoying.
3) Allow HTML files to be uploaded, but attempt to strip out javascript. This could be annoying.
-- brion vibber (brion @ pobox.com)
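Option 2 above (serve uploads with a plain-text mimetype so that uploaded HTML never runs in the site's origin) is simple enough to sketch. The following is an added illustration written for this page, not MediaWiki's own code or anything from the thread; it assumes uploads live in a directory named by $uploadDir and that the requested file name arrives as the hypothetical query parameter ?f=NAME. It whitelists a few image types, sniffs the first bytes so a renamed HTML file is still downgraded, and tells the browser not to second-guess the declared type.

```php
<?php
// Added example (not MediaWiki code): serve a file from the upload directory
// so that browser-executable content (HTML/JS) is never rendered as a page
// under the wiki's origin, where it could read the login cookies.
// Assumptions: uploads live in $uploadDir; the file name is passed as ?f=NAME.

$uploadDir = '/var/www/upload';   // assumed location of the upload directory

function safe_content_type(string $path): string
{
    // Extensions we are willing to serve with their real, non-executable type.
    $allowed = [
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
        'txt'  => 'text/plain',
    ];
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    $type = $allowed[$ext] ?? 'text/plain';   // anything else is plain text

    // Sniff the first 512 bytes: a file that starts with markup is served as
    // text/plain regardless of what its extension claims.
    $head = (string) file_get_contents($path, false, null, 0, 512);
    if (preg_match('/<\s*(html|script|body|iframe|svg|meta)\b/i', $head)) {
        $type = 'text/plain';
    }
    return $type;
}

// basename() discards any directory components, so ../ tricks cannot escape
// the upload directory.
$name = basename($_GET['f'] ?? '');
$path = $uploadDir . '/' . $name;
if ($name === '' || !is_file($path)) {
    http_response_code(404);
    exit;
}

$type = safe_content_type($path);
header('Content-Type: ' . $type);
header('X-Content-Type-Options: nosniff');   // stop browsers upgrading text/plain to HTML
if ($type === 'text/plain') {
    // Offer as a download rather than rendering inline.
    header('Content-Disposition: attachment; filename="' . $name . '"');
}
readfile($path);
```

Serving the file through a script also means the web server never hands the upload directory to the browser directly, which is what makes the "serve as plain text" policy enforceable; the cookie-path problem in option 1 is untouched by this, since the script still answers from the same origin as /wiki/ and /w/.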